all messages for Guix-related lists mirrored at yhetil.org
* issues.guix.gnu.org certificate expired
@ 2024-06-16 23:08 Andy Tai
  2024-06-17  7:30 ` Christopher Baines
  0 siblings, 1 reply; 6+ messages in thread
From: Andy Tai @ 2024-06-16 23:08 UTC
  To: guix-devel

trying to connect to is using Firefox, Firefox says:

----
Did Not Connect: Potential Security Issue

Firefox detected an issue and did not continue to issues.guix.gnu.org.
The website is either misconfigured or your computer clock is set to
the wrong time.

It’s likely the website’s certificate is expired, which prevents
Firefox from connecting securely.

The issue is most likely with the website, and there is nothing you
can do to resolve it. You can notify the website’s administrator about
the problem.



* Re: issues.guix.gnu.org certificate expired
  2024-06-16 23:08 issues.guix.gnu.org certificate expired Andy Tai
@ 2024-06-17  7:30 ` Christopher Baines
  2024-06-17 11:03   ` [PATCH maintenance] hydra: services: Reload nginx when certbot updates certificates Carlo Zancanaro
  0 siblings, 1 reply; 6+ messages in thread
From: Christopher Baines @ 2024-06-17  7:30 UTC
  To: Andy Tai; +Cc: guix-devel


Andy Tai <atai@atai.org> writes:

> trying to connect to is using Firefox, Firefox says:
>
> ----
> Did Not Connect: Potential Security Issue
>
> Firefox detected an issue and did not continue to issues.guix.gnu.org.
> The website is either misconfigured or your computer clock is set to
> the wrong time.
>
> It’s likely the website’s certificate is expired, which prevents
> Firefox from connecting securely.
>
> The issue is most likely with the website, and there is nothing you
> can do to resolve it. You can notify the website’s administrator about
> the problem.

I've restarted NGinx on berlin now to address the immediate issue.


* [PATCH maintenance] hydra: services: Reload nginx when certbot updates certificates.
  2024-06-17  7:30 ` Christopher Baines
@ 2024-06-17 11:03   ` Carlo Zancanaro
  2024-06-17 13:26     ` Ludovic Courtès
  0 siblings, 1 reply; 6+ messages in thread
From: Carlo Zancanaro @ 2024-06-17 11:03 UTC
  To: Christopher Baines; +Cc: Andy Tai, guix-devel, guix-sysadmin

* hydra/modules/sysadmin/services.scm (%certbot-deploy-hook): New
variable.
(%certbot-job): Pass %certbot-deploy-hook to certbot invocation.
---

I think this patch should resolve the certificate issue more
permanently. I haven't tested it at all, but I mostly just stole it
from Guix's certbot service. I know it works there, so I'm just
assuming it will work here, too.

 hydra/modules/sysadmin/services.scm | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/hydra/modules/sysadmin/services.scm b/hydra/modules/sysadmin/services.scm
index 128b0c1..3d996f5 100644
--- a/hydra/modules/sysadmin/services.scm
+++ b/hydra/modules/sysadmin/services.scm
@@ -7,6 +7,7 @@
 ;;; Copyright © 2023 Andreas Enge <andreas@enge.fr>
 ;;; Copyright © 2023 Lars-Dominik Braun <ldb@leibniz-psychology.org>
 ;;; Copyright © 2024 Arun Isaac <arunisaac@systemreboot.net>
+;;; Copyright © 2024 Carlo Zancanaro <carlo@zancanaro.id.au>
 ;;;
 ;;; This program is free software: you can redistribute it and/or modify
 ;;; it under the terms of the GNU General Public License as published by
@@ -616,11 +617,19 @@ to a selected directory.")
                   `(("nginx" ,(file-append nginx "/share/nginx/conf")))))
 
 
+(define %certbot-deploy-hook
+  ;; Reload nginx after a new certificate is deployed.
+  (with-imported-modules '((gnu services herd))
+    #~(begin
+        (use-modules (gnu services herd))
+        (with-shepherd-action 'nginx ('reload) result result))))
+
+
 (define %certbot-job
   ;; Attempt to renew the Let's Encrypt certificate twice a week.
   #~(job "30 0 * * 2,5"
          (string-append #$certbot "/bin/certbot renew \
---webroot --webroot-path /var/www")))
+--webroot --webroot-path /var/www --deploy-hook " #$certbot-deploy-hook)))
 
 
 \f
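Review bot: in the %certbot-job hunk the added line splices `#$certbot-deploy-hook`, but the variable defined just above it is `%certbot-deploy-hook` (with the leading %), so the reference as written is unbound; it should read `#$%certbot-deploy-hook`. Separately, %certbot-deploy-hook is a bare `#~(begin ...)` expression, not an executable file, and it is spliced into the string-append that builds the certbot command line as the argument of --deploy-hook; wrapping the expression in program-file would produce a store path that certbot can run as a command. The hook also returns `result` without checking it, so a failed nginx reload would pass silently; exiting non-zero or logging in that case would make the next stale certificate visible before a browser reports it.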

base-commit: 489fc437c7b3aa0af41a40d6090eb4c51ced0028
-- 
2.41.0




* Re: [PATCH maintenance] hydra: services: Reload nginx when certbot updates certificates.
  2024-06-17 11:03   ` [PATCH maintenance] hydra: services: Reload nginx when certbot updates certificates Carlo Zancanaro
@ 2024-06-17 13:26     ` Ludovic Courtès
  2024-06-17 23:35       ` Carlo Zancanaro
  0 siblings, 1 reply; 6+ messages in thread
From: Ludovic Courtès @ 2024-06-17 13:26 UTC
  To: Carlo Zancanaro; +Cc: Christopher Baines, Andy Tai, guix-devel, guix-sysadmin

Hi,

Carlo Zancanaro <carlo@zancanaro.id.au> writes:

> * hydra/modules/sysadmin/services.scm (%certbot-deploy-hook): New
> variable.
> (%certbot-job): Pass %certbot-deploy-hook to certbot invocation.

Applied, thanks!

> I think this patch should resolve the certificate issue more
> permanently. I haven't tested it at all, but I mostly just stole it
> from Guix's certbot service. I know it works there, so I'm just
> assuming it will work here, too.

Right.  However, issues.guix.gnu.org is actually hosted on bayfront,
which uses ‘certbot-service-type’ already (see ‘hydra/bayfront.scm’).
Could it be that it’s not working as advertised?

Ludo’.



* Re: [PATCH maintenance] hydra: services: Reload nginx when certbot updates certificates.
  2024-06-17 13:26     ` Ludovic Courtès
@ 2024-06-17 23:35       ` Carlo Zancanaro
  2024-06-18 12:46         ` Andreas Enge
  0 siblings, 1 reply; 6+ messages in thread
From: Carlo Zancanaro @ 2024-06-17 23:35 UTC
  To: Ludovic Courtès; +Cc: guix-devel, guix-sysadmin

On Mon, Jun 17 2024, Ludovic Courtès wrote:
> Right.  However, issues.guix.gnu.org is actually hosted on bayfront,

I'm not so sure about this. To make the change that I sent I grepped for
issues.guix.gnu.org and it showed up in hydra/nginx/berlin.scm in a
variable called %berlin-servers, which is used in %nginx-configuration
in that same file. This is included into hydra/berlin.scm and used in
the nginx configuration for berlin.guix.gnu.org.

From that, I assumed that issues.guix.gnu.org was hosted on berlin. If
I'm wrong about that then I'm very confused!

Carlo



* Re: [PATCH maintenance] hydra: services: Reload nginx when certbot updates certificates.
  2024-06-17 23:35       ` Carlo Zancanaro
@ 2024-06-18 12:46         ` Andreas Enge
  0 siblings, 0 replies; 6+ messages in thread
From: Andreas Enge @ 2024-06-18 12:46 UTC
  To: Carlo Zancanaro; +Cc: Ludovic Courtès, guix-devel, guix-sysadmin

On Tue, Jun 18, 2024 at 09:35:10AM +1000, Carlo Zancanaro wrote:
> I'm not so sure about this. To make the change that I sent I grepped for
> issues.guix.gnu.org and it showed up in hydra/nginx/berlin.scm

Indeed:
$ host issues.guix.gnu.org
issues.guix.gnu.org has address 141.80.181.40

$ host berlin.guix.gnu.org
berlin.guix.gnu.org has address 141.80.181.40

$ host bayfront.guix.gnu.org
bayfront.guix.gnu.org has address 185.233.100.56

So the issues are on (and with?) berlin.

Andreas
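
Added example, not part of any message in this thread and not the project's code: a check that tells apart the two failure modes raised above, a certificate renewed on disk that the running nginx has not reloaded versus a renewal that never happened. The host and certificate-path arguments and the 14-day threshold are assumptions, and it needs the openssl command-line tool.

```python
import ssl
import subprocess
import sys
import time

WARN_DAYS = 14  # assumed alerting threshold, not taken from the thread


def parse_enddate(line):
    """Turn openssl's 'notAfter=Jun 16 12:00:00 2024 GMT' into epoch seconds."""
    key, _, value = line.strip().partition("=")
    if key != "notAfter":
        raise ValueError("unexpected openssl output: %r" % line)
    return ssl.cert_time_to_seconds(value)


def not_after(pem):
    """Expiry of a PEM certificate, read with `openssl x509 -noout -enddate`."""
    out = subprocess.run(["openssl", "x509", "-noout", "-enddate"],
                         input=pem, capture_output=True, text=True, check=True)
    return parse_enddate(out.stdout)


def diagnose(served, on_disk, now, warn_days=WARN_DAYS):
    """Compare the expiry the server presents with the expiry of the file on disk."""
    if on_disk > served:
        return "reload-needed"    # renewed on disk, process still holds the old cert
    if served <= now:
        return "renewal-failed"   # expired and nothing newer on disk
    if served - now < warn_days * 86400:
        return "expiring"
    return "ok"


if __name__ == "__main__":
    # Arguments (assumed): host name, path to the PEM file nginx is configured to use.
    host, cert_path = sys.argv[1], sys.argv[2]
    # get_server_certificate does not validate, so an expired cert is still returned.
    served = not_after(ssl.get_server_certificate((host, 443)))
    with open(cert_path) as f:
        on_disk = not_after(f.read())   # openssl reads the first cert in the file
    verdict = diagnose(served, on_disk, int(time.time()))
    print(host, verdict)
    sys.exit(0 if verdict == "ok" else 1)
```

Run on the web server itself, a "reload-needed" verdict points at a missing reload after renewal, while "renewal-failed" points at the renewal job.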


